Frank Morgner

21 exploits Active since Sep 2018
CVE-2026-10275 WRITEUP MEDIUM WRITEUP
OpenSC pkcs11-tool Key Generation pkcs11-tool.c test_kpgen_certwrite buffer overflow
A flaw has been found in OpenSC up to 0.26.1. This affects the function test_kpgen_certwrite of the file src/tools/pkcs11-tool.c of the component pkcs11-tool Key Generation Module. This manipulation causes buffer overflow. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been published and may be used. Patch name: 814f745b3b6d100295f65f1935edd33d520d33ab. It is recommended to apply a patch to fix this issue.
CVSS 5.0
CVE-2025-66215 WRITEUP LOW WRITEUP
OpenSC: Stack-buffer-overflow WRITE in card-oberthur
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow WRITE in card-oberthur. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.
CVSS 3.8
CVE-2018-16391 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Buffer Overflow in Muscle Card Response Handling
Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.8
CVE-2018-16392 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Buffer Overflow in TCOS Card Response Handling
Several buffer overflows when handling responses from a TCOS Card in tcos_select_file in libopensc/card-tcos.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.8
CVE-2018-16393 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Buffer Overflow in Gemsafe V1 Smartcard Response Handling
Several buffer overflows when handling responses from a Gemsafe V1 Smartcard in gemsafe_get_cert_len in libopensc/pkcs15-gemsafeV1.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.8
CVE-2018-16418 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Buffer Overflow in util_acl_to_str
A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.6
CVE-2018-16419 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Buffer Overflow in Cryptoflex Card Response Handling
Several buffer overflows when handling responses from a Cryptoflex card in read_public_key in tools/cryptoflex-tool.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.6
CVE-2018-16420 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Buffer Overflow in ePass 2003 Card Response Handling
Several buffer overflows when handling responses from an ePass 2003 Card in decrypt_response in libopensc/card-epass2003.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.6
CVE-2018-16421 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Buffer Overflow in CAC Card Response Handling
Several buffer overflows when handling responses from a CAC Card in cac_get_serial_nr_from_CUID in libopensc/card-cac.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.6
CVE-2018-16422 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Buffer Overflow in esteid Card Response Handling
A single byte buffer overflow when handling responses from an esteid Card in sc_pkcs15emu_esteid_init in libopensc/pkcs15-esteid.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.6
CVE-2018-16423 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Double Free in sc_file_set_sec_attr
A double free when handling responses from a smartcard in sc_file_set_sec_attr in libopensc/sc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.6
CVE-2018-16424 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Double Free in eGK Card Tool Response Handling
A double free when handling responses in read_file in tools/egk-tool.c (aka the eGK card tool) in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.6
CVE-2018-16425 WRITEUP MEDIUM WRITEUP
OpenSC < 0.18.0 - Double Free in HSM Card Response Handling
A double free when handling responses from an HSM Card in sc_pkcs15emu_sc_hsm_init in libopensc/pkcs15-sc-hsm.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS 6.6
CVE-2018-16426 WRITEUP MEDIUM WRITEUP
OpenSC <0.19.0-rc1 - Use After Free
Endless recursion when handling responses from an IAS-ECC card in iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to hang or crash the opensc library using programs.
CVSS 4.3
CVE-2019-15945 WRITEUP MEDIUM WRITEUP
OpenSC <0.20.0-rc1 - Buffer Overflow
OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitstring in decode_bit_string in libopensc/asn1.c.
CVSS 6.4
CVE-2019-15946 WRITEUP MEDIUM WRITEUP
OpenSC <0.20.0-rc1 - Buffer Overflow
OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry in libopensc/asn1.c.
CVSS 6.4
CVE-2019-19479 WRITEUP MEDIUM WRITEUP
OpenSC <0.20.0-rc3 - Info Disclosure
An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/card-setcos.c has an incorrect read operation during parsing of a SETCOS file attribute.
CVSS 5.5
CVE-2020-26570 WRITEUP MEDIUM WRITEUP
OpenSC <0.21.0-rc1 - Buffer Overflow
The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 has a heap-based buffer overflow in sc_oberthur_read_file.
CVSS 5.5
CVE-2020-26572 WRITEUP MEDIUM WRITEUP
OpenSC <0.21.0-rc1 - Buffer Overflow
The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in tcos_decipher.
CVSS 5.5
CVE-2021-42781 WRITEUP MEDIUM WRITEUP
OpenSC < 0.22.0 - Heap Buffer Overflow in pkcs15-oberthur.c
Heap buffer overflow issues were found in Opensc before version 0.22.0 in pkcs15-oberthur.c that could potentially crash programs using the library.
CVSS 5.3
CVE-2025-24032 WRITEUP CRITICAL WRITEUP
PAM-PKCS#11 <0.6.13 - Privilege Escalation
PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`.